New Page Rule -> your.site/*.png (or jpg, gif, etc)
Cache Level: Everything
Edge Cache TTL: (some large value, an hour maybe)
This will make sure you don't serve any given image more than once per hour, and the rest of the requests will get served CF's edge cache.
I think the difference here is that apps getting uploaded to the app store have static analysis run on them looking for unauthorized calls. Still doesn't rule it out, but adds an extra check to the process.